TIM (telecommunications operator): Insufficient legal basis for data processing

Between January 2017 and 2019, the data protection authority received hundreds of notifications, in particular concerning the receipt of unsolicited commercial communications made without the consent of the data subjects or despite their registration in the public register of objections. Furthermore, irregularities in data processing in connection with competitions were also complained about. In addition, incorrect and non-transparent information on data processing was provided in Apps provided by the Company and invalid methods of consent were used. In some cases, paper forms requesting one single consent were used for various purposes, including marketing. Furthermore, data was kept longer than necessary and thus violated deletion periods. For these violations, the telecommunications company received a fine of EUR 27.8 million. Among other things, the fine was imposed for: lack of consent for marketing activities (telemarketing and cold calling), addressing of data subjects who asked not to be contacted with marketing offers, invalid consents collected in TIM apps, lack of appropriate security measures to protect personal data (including incorrect exchange of blacklists with call centres), lack of clear data retention periods. The supervisory authority also imposed 20 corrective measures on TIM, prohibiting the use of personal data for marketing purposes from those who had refused to receive promotional calls from the call centres.

GDPR Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR, Art. 32 GDPR
Industry: Media, Telecoms and Broadcasting